Getting an error when using CIS-CAT Pro Assessor to scan a postgres Database with ssl=true
Product Name: CIS-CAT Pro Assessor
Product Version: All
Date: Apr 12, 2022
Problem
Getting the following error when assessing a postgres DB with ssl=true:
"Exception in thread "main" org.postgresql.util.PSQLException: Could not open SSL root certificate file /root/.postgresql/root.crt."
The connection works fine with ssl=false, but we require SSL connectivity.
Solution
The ongoing Postgres jdbc driver updates are affecting our tool's use of ssl=true. More on that here: https://github.com/pgjdbc/pgjdbc/issues/1307 [There is a lot of information from community users in this thread.]
Postgres is, at least temporarily, switching to sslmode=require. If you require certificate validation, this Postgres-provided solution may not be ideal, especially since sslmode=require encrypts the connection but does not validate the server certificate.
Here's their official "fix" (they more or less replace ssl=true with sslmode=require): https://github.com/palantir/atlasdb/pull/5908
Once/if Postgres fixes the root of this issue (the jdbc drivers), we would be able to start assessing if/how their fix would integrate into our tooling.
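The three settings discussed above differ in what they actually verify, and the error in the Problem section comes from ssl=true implying verify-full in current pgjdbc, which needs a root certificate at ~/.postgresql/root.crt. The pre-flight check below is an added example (not CIS-CAT or pgjdbc code); it models pgjdbc's documented sslmode semantics for a JDBC URL and reports whether the connection would fail on a missing CA file and what level of certificate validation each mode gives. The `exists` parameter and the sample URLs are constructed for illustration.

```python
"""Pre-flight check of pgjdbc SSL parameters in a jdbc:postgresql:// URL.

Added example; models pgjdbc's documented behaviour: ssl=true with no
sslmode behaves as verify-full (so a CA file is required, default
~/.postgresql/root.crt), while allow/prefer/require encrypt without
validating the server certificate.
"""
import os
from urllib.parse import parse_qs, urlsplit

DEFAULT_ROOT_CERT = os.path.expanduser("~/.postgresql/root.crt")

# Security properties of each sslmode value.
VALIDATION = {
    "disable": "no TLS",
    "allow": "TLS only if the server insists; no certificate validation",
    "prefer": "TLS if available; no certificate validation",
    "require": "TLS enforced; no certificate validation",
    "verify-ca": "TLS enforced; certificate chain validated, hostname not checked",
    "verify-full": "TLS enforced; certificate chain and hostname validated",
}


def effective_sslmode(params):
    """Resolve the sslmode pgjdbc will use from the parsed URL parameters."""
    if "sslmode" in params:
        return params["sslmode"]
    # A bare ssl parameter or ssl=true implies verify-full in pgjdbc >= 42.2.5.
    if "ssl" in params and params["ssl"] in ("", "true"):
        return "verify-full"
    return "prefer"


def check_jdbc_url(url, exists=os.path.exists):
    """Return (sslmode, validation description, problem or None).

    `exists` is injectable so the check can run without touching the
    filesystem; by default it tests the real path.
    """
    bare = url[len("jdbc:"):] if url.startswith("jdbc:") else url
    query = urlsplit(bare).query
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    mode = effective_sslmode(params)
    problem = None
    if mode in ("verify-ca", "verify-full"):
        root = params.get("sslrootcert", DEFAULT_ROOT_CERT)
        if not exists(root):
            problem = (f"sslmode={mode} needs a CA file but {root} is missing; "
                       "install the server CA there or set sslrootcert=/path/to/ca.crt")
    return mode, VALIDATION.get(mode, "unknown sslmode"), problem
```

Running it against the failing URL reports the missing root.crt; against sslmode=require it reports no failure but also no certificate validation, which is the trade-off to weigh before adopting the workaround.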
To track changes:
Keep an eye out for news that Postgres has resolved their jdbc driver issue
Join the CIS Members : CIS-CAT Discussion in the CIS WorkBench Community
Search for, or start, a discussion around this topic. Since our Benchmarks are community driven, it is possible someone has/will have already started a similar discussion when the Postgres drivers are resolved.
These workbench discussions are with other community members and occasionally Developers and Benchmark Leads. They take suggestions and concerns into consideration as they develop future Benchmark and Benchmark revisions. It isn’t a ticketing-based support system and responses are not guaranteed.
Set up notifications for the community or the discussion itself to track and gauge interest
Check the CIS-CAT Pro Assessor v4 Change Logs for this feature to see which issues have been resolved/integrated.
As the update to the drivers needs to come directly from Postgres, CIS doesn't have an official timeline or any guarantee this feature will continue to be a part of CIS-CAT Pro Assessor.
Keywords: postgres ssl=true